Date: Thu, 7 Feb 2008 07:10:42 +0300
From: Solar Designer
Subject: Re: Joomla password hashes

On Wed, Feb 06, 2008 at 10:09:17AM -0500, Steve ...... wrote:
> I'm a little confused.. so I would have to add that below line for line to my
> john.conf and run john wait a couple days then modify it again changing it
> line by line run john on another hash?.. sounds like a lot of work and time.

That's correct - although it's up to you to decide how long to let it run
on just one hash - a couple of days sounds excessive to me if you have a
lot of hashes.  In fact, if you choose to test for just the initial
passwords (those not changed by the users), then you'd need just a few
seconds per hash.

Good news (just kidding): with Joomla on PHP below 5.2.1, there can be
at most 1 million different salts, so you wouldn't have to run JtR more
than 1 million times even if you have more than 1 million hashes. ;-)
They use the same code to generate initial passwords and salts.  (This
also means that salts might leak info on initial passwords, reducing the
typical search space from 1 million of candidate passwords even

This external mode that I posted was primarily a proof-of-concept.  For
actual use on a large number of hashes, you'd want support for these
hashes added to JtR itself.

> is it completely pointless to run john on the hash itself leaving out the
> salt?..

Yes, it is.
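
Added example, not part of the original message and not JtR or Joomla code: a Python audit sketch showing why a check that leaves out the salt can never match, and how a salt space capped at 1 million leads to salt reuse across a large user table. It assumes records are stored as `md5(password + salt):salt` and that salts are drawn uniformly; all function names and sample records are constructed for illustration.

```python
import hashlib
from collections import Counter

SALT_SPACE = 1_000_000  # upper bound on distinct salts quoted in the message


def salted_md5(password: str, salt: str) -> str:
    # Assumed scheme: hex MD5 over the password followed by the salt.
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def parse_entry(line: str) -> tuple[str, str]:
    """Split a 'hash:salt' record and validate the 32-hex-digit digest."""
    digest, sep, salt = line.strip().partition(":")
    if not sep or len(digest) != 32:
        raise ValueError(f"not a hash:salt record: {line!r}")
    int(digest, 16)  # raises ValueError if the digest is not hexadecimal
    return digest.lower(), salt


def matches(password: str, entry: str, use_salt: bool = True) -> bool:
    """Check a known password against a record, with or without its salt."""
    digest, salt = parse_entry(entry)
    return salted_md5(password, salt if use_salt else "") == digest


def reused_salts(entries) -> dict:
    """Return {salt: count} for every salt that appears on more than one record."""
    counts = Counter(parse_entry(e)[1] for e in entries)
    return {salt: n for salt, n in counts.items() if n > 1}


def expected_distinct_salts(n_hashes: int, salt_space: int = SALT_SPACE) -> float:
    """Expected number of different salts among n_hashes uniform draws."""
    return salt_space * (1.0 - (1.0 - 1.0 / salt_space) ** n_hashes)


# Constructed sample records (passwords and salts are made up).
SAMPLE = [
    salted_md5("example-pass-1", "SaltAAAA") + ":SaltAAAA",
    salted_md5("example-pass-2", "SaltBBBB") + ":SaltBBBB",
    salted_md5("example-pass-3", "SaltAAAA") + ":SaltAAAA",
]

if __name__ == "__main__":
    print("with salt:   ", matches("example-pass-1", SAMPLE[0]))
    print("without salt:", matches("example-pass-1", SAMPLE[0], use_salt=False))
    print("reused salts:", reused_salts(SAMPLE))
    for n in (10_000, 1_000_000, 5_000_000):
        print(n, "hashes ->", round(expected_distinct_salts(n)), "distinct salts")
```

Even the correct password fails to verify once the salt is dropped, and the expected number of distinct salts stays below the 1 million cap however many records there are.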

